Congratulations on your latest job – data controller

Meeting the demands of the forthcoming EU-wide General Data Protection Regulation may be a new and unwelcome cost of doing business but, says Marilyn Cole, there will also be opportunities for advisers

Financial advisers are on the verge of gaining another unsought-after role to add to the half dozen they already have – this time in the realm of data protection. As ‘data controllers’, they face a wide range of new obligations in terms of the client data they use and share with partner firms.

At the start of August, advisers may well have noted the headlines about the government promising a new Data Protection Act, with the aim of enshrining a ‘right to be forgotten’ – and the suggestion that individuals, and especially young people, could be given the right to scrub past indiscretions from social media. We may see a bill very shortly.

Whatever the practicalities of delivering on such a promise, though, the changing regulatory approach to management of data has huge implications for advisers, platforms, providers, insurers and fund managers.

The key deadline is 25 May 2018 when the EU-wide General Data Protection Regulation (GDPR) comes into force and, while it will be interesting to see if the expected Data Protection bill puts a British spin on things, few expect the UK regime to diverge significantly – if at all.

Advisers may point out that next May is merely a matter of months before the UK’s scheduled exit from the European Union, but it is one of many pieces of legislation – MiFID II being another case in point – that the UK is going to embrace regardless of the outcome of the Brexit negotiations.

As is par for the course, the new requirements come along with expanded fining powers (up to 4% of turnover) for the relevant regulator – in this case the Information Commissioner’s Office (ICO), which will, incidentally, be enforcing the pension cold-calling ban. There is some good news, however, as the ICO is offering some very practical help with the process – though, be warned, it suggests this involves 12 steps!

We will not list all the requirements and suggestions here but, in summary, advisers need to assess what information they hold and why, for how long and for what purpose. They should ensure they have processes to remove information they no longer need to hold and for which they do not have permission from the individual concerned. The ICO suggests you may need to complete a data audit.

Advisers need to communicate clearly with their clients what information is held, why and for what purpose – so this development requires a lot more detail and engagement. Pre-ticked boxes accompanying generalised statements simply will not do.

Advisers may point out that a right to be forgotten contrasts dramatically with a whole range of financial services-specific rules, including MiFID II, which require them to hold on to information – in other words, to keep records – but firms will need to ensure their approach lines up. You may, for example, have to retain information about a past transaction. You may not be able to email that person to market a new service.

Advisers will also need to have processes for reviewing their information and for transferring data to other firms safely and this will likely involve a new contractual obligation between the adviser as ‘data controller’ and other firms, probably designated as ‘data processors’.

They will need to be able to furnish information – to individuals who request it – in a secure and clear format within 30 days, which is 10 days less than now. Clearly this new right to portability of information for individuals could be something that helps advisers when they onboard clients but it comes with potential obligations for advisers too.

Obviously the regulation presents a very different challenge for different types of business – a stable financial-planning business with strong relations with, say, up to 100 clients will have much less to do to comply than an ambitious consolidator, or indeed a business with robo or hybrid advice aspirations and a bigger client base. But any firm that markets its services will need to pay heed to the new rules.

Business Opportunities
We therefore suggest firms of all sizes think long and hard about how this may affect them. Furthermore, while very many of these changes come under the overall heading of compliance – only with a different regulator – we also suggest firms do not place a purely compliance frame on this. To put it another way, while meeting the demands of the GDPR is obviously a new and unwelcome cost of doing business, there are opportunities too.

First, it is in every adviser’s interests to have as secure an approach to client data as possible. The fact it requires communication and even contractual agreements with your business partners should mean the whole process is actually more resilient.

Second, it may give an adviser the opportunity to understand the data they hold and why – though we can envisage specific challenges. Acquiring firms may, for example, have to pay particular attention to the rules around emailing an underserved part of an acquired firm’s database.

Third, this could actually dovetail with MiFID II – a regulation that demands the exchange of a lot more data between advisers, platforms, fund managers and the regulator.

Though advisers’ attention may have been drawn to the MiFID requirements around taping or noting calls and meetings – especially those involving transactions – we think the more significant measures may prove to be those around charges disclosure and alerting clients to a 10% fall in a portfolio or fund over a quarter.

Hence our final thought – MiFID II requires a much greater exchange of information along the chain of businesses involved in serving an investor. This ranges from fund managers, who are likely to need some understanding of their end-investor, to advisers, who may receive and be expected to disclose more in terms of the breakdown of charges and performance. This could be an excellent opportunity for advisers to align their data and communications approach and meet the regulations as well.

As we say, GDPR does represent an increased burden in terms of time and money, but it may be a chance to make sure you are following best practice too – which in turn could help with acquiring and retaining clients.

Article by:

Marilyn Cole

9 August 2017